Guiyang Institute of Information Science and Technology network and information security management measures
Editor: Cui Yunfei  Date: 2024-05-10

Guiyang Institute of Information Technology Network and Information Security Management Measures

Chapter 1 General Provisions

Article 1 In order to further strengthen the college's network information security management and improve its capability and level of network information security protection, these measures are formulated in accordance with the Guiding Opinions of the Ministry of Education on Strengthening Network and Information Security Work in the Education Industry ([2014] No. 4), the Notice of the Ministry of Education and Public Security on Comprehensively Promoting Information Security Level Protection in the Education Industry (Education Technology [2015] No. 2), the Network Security Law of the People's Republic of China, and other requirements, in light of the actual conditions of our institute.

Article 2 In accordance with the principle of "whoever is in charge is responsible, whoever operates and maintains is responsible, whoever uses is responsible", a sound network information security responsibility system shall be established. All units, teachers, students and staff of the college must fulfill their network information security responsibilities in accordance with these measures and other relevant standards.

Chapter 2 Management structure and responsibilities

Article 3 The Guiyang Institute of Information Technology network information security work leading group is responsible for the information network security work of the college, and the leader of the leading group is the first person responsible for the information network security work of the college.

Article 4 The Party and Mass Work Department is responsible for supervising and monitoring the content of the College website (including secondary websites), and cooperates with the Information Center in organizing publicity, education and training on network information security.

Article 5 The Information Center is the centralized management department for the College's network information security and is responsible for coordinating the college's network information security work. Specific responsibilities include:

(1) Formulating overall plans for network information technology security and organizing their implementation;

(2) Formulating network information technology security management rules and regulations;

(3) Organizing and carrying out information system security level protection work;

(4) Handling network information security emergency management, and coordinating and managing the relationship with the government's network information security management departments;

(5) Supervising and inspecting network information technology security;

(6) Handling the construction, operation and maintenance, technical guidance and service support of the network information technology security protection system.

Article 6 Each unit of the college is the responsible body for network information security management within its own unit. The principal person in charge of the unit is the first person responsible for its network information security management and shall be responsible for implementing network information security in accordance with these Measures.

Chapter 3 Campus network security management

Article 7 The campus network refers to the computer network connecting the various information systems and information terminals within the campus, including the campus wired network, wireless network and various virtual private networks.

Article 8 The campus planning management department, the construction department and the Information Center are jointly responsible for the unified planning of the campus network. The college's capital construction and renovation projects shall include campus network construction in the scope of project design, implementation and completion acceptance.

Article 9 The campus network is logically isolated from the Internet, with a unified egress that is centrally managed and protected by the Information Center. No unit or individual of the college may, without authorization, access the Internet or other public information networks from the campus through other channels.

Article 10 The Information Center should take measures such as access control, security audit, integrity checking, intrusion prevention and malicious code prevention to strengthen campus network boundary protection.

Article 11 Campus network users accessing the campus network are subject to a "real-name registration, authenticated access" system. Non-classified information systems of the college that connect to the campus network are subject to an access approval system, and classified information systems are generally not allowed to connect to the campus network.

Chapter 4 Data center security management

Article 12 The data center mainly comprises the physical environment supporting the college's information systems (including the computer room), hardware and software equipment and facilities, the cloud computing platform, the central database, the data sharing and exchange platform, the unified identity authentication platform, the unified information portal, and other information infrastructure and platforms.

Article 13 The Information Center is responsible for the construction, operation and security management of the data center's physical environment, hardware and software equipment and facilities, and cloud computing platform. Each unit is responsible for the permission management and security of its own application systems.

Article 14 The Information Center is responsible for the construction and security management of the college's central database and data sharing and exchange platform. Each unit is responsible for the construction and maintenance of the business databases supporting its own business application systems, and for the security of its business databases and of the shared data it requests.

Article 15 The units of the college should build their information systems on the basis of the college data center. Information systems involving the college's basic data, personal information of teachers, students and employees, or sensitive information must be deployed in the college data center.

Article 16 The Information Center implements access management for use of the college's data center and is responsible for formulating technical specifications and standards for its use. Only information systems that meet the technical specifications and standards can be put into operation.

Chapter 5 Information system security management

Article 17 In accordance with the principle of synchronized planning, construction and operation, the College plans, designs, builds, operates and manages information system security facilities, establishes and improves the technical security protection system for information systems, and fully implements the information system security level protection system.

Article 18 The Information Center is responsible for coordinating the security level protection of the college's information systems and for organizing the units of the college to carry out information system grading, system filing, grade evaluation, and construction and rectification. It is specifically responsible for information system ledger management, grade review and system filing, and assists the units of the college in carrying out system grading and construction and rectification.

Article 19 Information system test environments and operating environments should be strictly isolated. The Information Center is responsible for the construction, operation, maintenance and management of the above environments.

Article 20 The unit that builds an information system may maintain the system itself, commission the Information Center to maintain it, or entrust other units to maintain it according to actual needs. Core information systems involving important business or the information of a large number of teachers, students and staff, and information systems at the second security level or above (including the second level), should in principle be maintained by the Information Center.

Article 21 The unit that builds an information system should carry out regular security audits of the terminal computers and key equipment (servers, security equipment, network equipment) responsible for the operation of the network and information systems. By recording and checking system and user activity information, system vulnerabilities should be discovered in a timely manner and abnormal access and operations should be handled.

Article 22 The owners of information system data (meaning all kinds of electronic data collected, stored, transmitted, processed and generated by information systems, including but not limited to website content, business data and log records) are responsible for data security management. They should implement management and technical measures, regulate the collection, storage, transmission and use of data, and ensure data security.

Article 23 Information system data collection should follow the principle of "minimum sufficiency"; personal information not related to the business services of the information system shall not be collected. Personal information collection follows the principle of "whoever collects is responsible": the collecting unit is the party responsible for the protection of personal information, should ensure the integrity of the information, and shall keep the personal information it collects strictly confidential.

Article 24 The Information Center is responsible for the backup and recovery management of the school's core information systems: making backup and recovery plans, backing up important data and information systems, periodically testing the backup and recovery plans, and ensuring the effectiveness of backup data and backup resources.

Chapter 6 Website security management

Article 25 "Guiyang Institute of Information Technology website" means the Guiyang Institute of Information Technology home page and department websites named after "Guiyang Institute of Information Technology". All types of Guiyang Institute of Information Technology websites are subject to approval procedures.

Article 26 Information management and content review for the Guiyang Institute of Information Technology home page are maintained by the College Office and the Party and Mass Work Department according to their division of responsibilities, with the Information Center providing technical support and assurance. The content security of the College's various websites is the responsibility of the unit operating the website; the person responsible for managing a website is the leader in charge of the relevant unit, who is responsible for the information security of that unit's website.

Article 27 Each unit should establish a sound website information release and review system, determine the list of personnel responsible for content editing, content review and content release, clarify the review and release procedures, and keep relevant operation records.

Article 28 Each unit shall ensure the data security and system security of its websites and formulate disaster recovery filing measures for important databases and major system equipment. System maintenance logs shall be recorded and retained for at least 60 days.

Article 29 In principle, the websites of the college's units shall not provide electronic bulletin services. Where necessary, such services may be provided only after approval. For a website providing electronic bulletin services, the unit that launched it bears the main responsibility for content management of the electronic bulletin services and shall implement dedicated security management and technical measures in accordance with relevant state regulations.

Chapter 7 Terminal computer security management

Article 30 Terminal computers refer to all kinds of computers and ancillary equipment, including desktop computers, laptops and other mobile terminals, used by teachers and students of the College in the teaching, scientific research, management and daily-life activities of the college.

Article 31 Terminal computer users, following the principle of "whoever uses is responsible", bear responsibility for the custody and safe use of their terminal computers. The Information Center provides technical assistance and guidance for terminal computer security management.

Article 32 Terminal computers shall have a system login account and password set. Terminal computer users shall carry out day-to-day data management and protection and back up data regularly. A non-classified computer may not store or process classified information.

Article 33 Terminal computer users should take proper security precautions for their terminal computers. On discovering abnormal system behavior or other security problems that may be caused by viruses or attacks, they should immediately disconnect from the network and report to the Information Center for handling.

Article 34 The Party and Mass Work Department is responsible for the supervision and inspection of college information content. For bad or harmful information, the relevant unit should be contacted at the first opportunity to handle it. If any illegal or criminal act is involved, the case shall be reported to the public security organ immediately.

Chapter 8 Storage media security management

Article 35 Storage media refers to carriers for storing data, including non-removable storage media such as hard disks and storage arrays, and removable storage media such as mobile hard disks.

Article 36 Storage arrays and other large-capacity media should be set up in the College data center and uniformly operated, maintained and managed by the Information Center. The Information Center should take necessary technical measures to prevent the risk of data leakage and ensure the security of stored data.

Article 37 Each unit should establish a mobile storage media management system. Media users, in accordance with the principle of "whoever uses is responsible", bear responsibility for the custody and safe use of their mobile media.

Article 38 Non-classified mobile storage media shall not be used to store classified information and shall not be used on classified computers. Users of storage media should pay attention to managing stored content; sensitive information should be removed in advance from media sent out for repair or destruction.

Article 39 Before a mobile storage medium is connected to a terminal computer, it should be scanned for and cleaned of malicious code such as viruses and trojans.

Chapter 9 Personnel security management

Article 40 Each unit of the college should establish a sound network information security responsibility system for its own unit and clarify the network information security responsibilities of posts and personnel. Computer users and managers in key positions should sign information security and confidentiality agreements specifying information security and confidentiality requirements and responsibilities.

Article 41 Each unit of the college should strengthen the management of personnel who leave their posts or resign, promptly terminate all access rights of the relevant personnel to network information systems, and recover the hardware and software equipment related to network information systems provided by the college.

Article 42 Each unit of the college should establish an approval system for external personnel visiting important areas such as the computer room. External personnel must be approved before entering, and staff should be arranged to accompany them on site and to record and retain a record of the visit activities.

Chapter 10 Network information security emergency management

Article 43 The Information Center is responsible for the overall management and technical support of the college's network information security emergency work, and for developing the college's network information security incident reporting and disposal process and the college's network information security emergency plan.

Article 44 The Information Center should improve the 24-hour network information security emergency duty system in order to improve prevention, early warning and response capabilities for network information security incidents.

Article 45 Each unit of the college should carry out emergency reporting and disposal, in-process reporting and disposal, and post-incident rectification reporting and disposal in accordance with the college's information security incident reporting and disposal process.

Article 46 All units, teachers, students and staff of the college have the obligation to report information security incidents to the Information Center in a timely manner, and must not, without authorization, publicize, try out or exploit discovered security vulnerabilities or security issues.

Chapter 11 Network information security responsibility investigation

Article 47 The College establishes a mechanism for information security responsibility investigation and retrospective investigation. A relevant unit that receives a notice requiring rectification of network information security within a time limit shall make the rectification in a timely manner. If the rectification is ineffective, the college will issue a notice of criticism. Where serious consequences are caused by dereliction of duty, the relevant personnel shall be held responsible according to discipline and law.

Article 48 Each unit of the college shall report and properly handle network information security incidents promptly and truthfully in accordance with the network information security incident reporting and disposal process. In cases of concealment, delayed reporting, or inadequate disposal and rectification, the College will, according to the circumstances, interview the responsible person of the relevant unit or circulate a notice.

Article 49 Teachers, students and employees who violate the provisions of these Measures shall be ordered by the Information Center to make corrections. Those who refuse to make corrections or cause serious consequences such as endangering information technology security shall be given disciplinary sanctions according to the relevant regulations of the College. Those who violate the criminal law shall be transferred to the judicial organs for handling.

Chapter 12

Article 50 The right of final interpretation of these measures is vested in the Party and Mass Work Department and the Information Center.
